Securing Python dependencies: PyPI best practices

Python’s Package Index (PyPI) is a treasure trove of open-source libraries—but it’s also a prime target for attackers. Malicious packages, typosquatting, and vulnerable dependencies can introduce severe risks. Here’s how to use PyPI safely.

Key practices for secure Python development

  1. Avoid Malicious Packages

Typosquatting is real: Attackers upload packages with names like requets (instead of requests) to trick developers.

Always double-check spellings before installing:

pip install requests  # Correct  
pip install requets   # Malicious?  

Research unfamiliar packages (check GitHub stars, maintainers, release history).

  2. Licence Compliance

Know what you’re using: Some licences (e.g., GPL) impose strict redistribution rules. Tools like pip-licenses or FOSSA can audit licence risks.

  3. Scan for vulnerabilities

Bandit: A static analysis tool to find security flaws in Python code:

pip install bandit  
bandit -r your_project/  

Ochrona: Scans dependencies for known CVEs:

pip install ochrona  
ochrona check -r requirements.txt  

  4. Use Pipenv (or Poetry) for Dependency Management

Why? Combines pip and virtualenv with:

  • A Pipfile (abstract dependencies).

  • A Pipfile.lock (pinned, tested versions).

Installation:

pip install pipenv  
pipenv install requests  # Adds to Pipfile  
pipenv lock             # Generates Pipfile.lock  

  5. Security pitfalls in Python

Only import trusted packages. Imports execute code:

import malicious_module  # Runs code on import!  

Keep certifi updated: Never pin its version—always use the latest. Never disable cert verification:

import requests

# NEVER DO THIS: verify=False turns off TLS certificate verification
requests.get("https://example.com", verify=False)

  6. Safe data handling

Avoid unsafe deserialization:

  • PyYAML: Use yaml.safe_load() instead of yaml.load().

  • Pickle: Never load pickled data from untrusted sources.

Dependency security checklist

  • Verify package names before installing.

  • Audit licences for compliance risks.

  • Scan code with Bandit; scan dependencies with Ochrona.

  • Use Pipenv for reproducible environments.

  • Never bypass SSL checks or pin certifi.

  • Prefer yaml.safe_load() for YAML parsing.

When things go wrong

  • Found a malicious package? Report it to PyPI’s security team.

  • Vulnerable dependency? Update immediately or fork/fix.

Last update: 2025-05-12 14:39